Details
- Bug
- Resolution: Fixed
- Blocker
- 3.36.0
- 2
- 2
- non-concept
- 2
Description
When a user authenticated through a different realm, such as a SAML realm, attempts to access their user token via the Nexus UI, an access error is produced: "You must authenticate successfully to access your token". In the Nexus logs we see this error:
2022-01-04 16:45:07,830+1100 WARN [qtp46267572-324] test_saml org.sonatype.nexus.siesta.internal.UnexpectedExceptionMapper - (ID 0b04c5cd-f471-4727-b211-0d4af139207f) Unexpected exception: java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts
java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts
    at com.google.common.base.Preconditions.checkState(Preconditions.java:562)
    at com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl.create(UserTokenServiceImpl.java:341)
    at com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl.current(UserTokenServiceImpl.java:251)
    at com.sonatype.nexus.usertoken.plugin.api.CurrentUserUserTokenApiResource.readUserToken(CurrentUserUserTokenApiResource.java:77)
    at org.sonatype.nexus.validation.internal.ValidationInterceptor.invoke(ValidationInterceptor.java:53)
    at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
    at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
    at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
    at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
    at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
    at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
    . .
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at com.codahale.metrics.jetty9.InstrumentedHandler.handle(InstrumentedHandler.java:239)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.lang.Thread.run(Thread.java:748)
2022-01-04 16:45:07,830+1100 WARN [qtp46267572-324] test_saml org.sonatype.nexus.siesta.internal.UnexpectedExceptionMapper - (ID 0b04c5cd-f471-4727-b211-0d4af139207f) Response: [500] 'ERROR: (ID 0b04c5cd-f471-4727-b211-0d4af139207f) java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts'; mapped from: java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts
In request.log we can see the 500 error:
192.168.56.1 - test_saml [04/Jan/2022:16:45:07 +1100] "GET /service/rest/internal/current-user/user-token?authToken=WjVsRxxxxxxM5RjJPK3Qxd0wwb29RVTdpNlRtdEVIYmRJUlBTdmRLVnRIV3U2K2ZqVCtNODJxWDRHbGQwcUxrblB6Q0RPSDxxxxxxxxxx==&_dc=1641275106793 HTTP/1.1" 500 - 145 1076 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" [qtp46267572-324]
Steps to reproduce:
1. Set up NXRM 3.36.0 with a Postgres DB.
2. Set up SAML authentication.
3. Create a user "test_saml" in the SAML IdP as well as in the Nexus default embedded user base (or possibly in LDAP).
4. Make sure the user has the correct privileges to create user tokens.
5. Log in to the Nexus UI as test_saml without SSO and create a user token.
6. Log out as 'test_saml'.
7. Log in to the Nexus UI as 'test_saml' via SAML SSO.
8. Try creating a user token; it should produce the errors shown above.
Observation:
The "user_token" table schema differs between OrientDB and PostgreSQL: in Postgres the primary key of user_token is user_name, whereas in OrientDB it is namecode.
Expected:
The user should be able to generate user tokens without any issue.
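The Observation above, as an added illustration (not code from this report or from Nexus): a small sqlite3 model of why a token table keyed on user_name alone cannot hold a second token for a user name that exists in two realms, while a key on (user_name, realm) can. The two schemas, the realm labels "default" and "saml", and the regenerate-and-retry loop are assumptions made for the illustration; the 11-attempt limit is taken from the exception message in the logs.

```python
import secrets
import sqlite3

# Constructed, simplified schemas (an assumption for illustration, not Nexus's real DDL).
# Both carry a realm column; they differ only in the primary key, which is the difference
# the Observation points at for the Postgres user_token table.
SCHEMA_PK_USER_NAME = """
CREATE TABLE user_token (
    user_name TEXT NOT NULL,
    realm     TEXT NOT NULL,
    name_code TEXT NOT NULL UNIQUE,
    pass_code TEXT NOT NULL,
    PRIMARY KEY (user_name)
)
"""

SCHEMA_PK_USER_NAME_REALM = """
CREATE TABLE user_token (
    user_name TEXT NOT NULL,
    realm     TEXT NOT NULL,
    name_code TEXT NOT NULL UNIQUE,
    pass_code TEXT NOT NULL,
    PRIMARY KEY (user_name, realm)
)
"""

MAX_ATTEMPTS = 11  # the count quoted in the report's exception message


def create_user_token(conn, user_name, realm, attempts=MAX_ATTEMPTS):
    """Insert a token record with fresh random codes, retrying on a constraint violation.

    The loop is a hypothetical model of the "giving up after N attempts" message: it
    regenerates name_code/pass_code and tries again. Regenerating codes only helps when
    the violated constraint is on the codes; a collision on user_name recurs every time.
    """
    for _ in range(attempts):
        name_code = secrets.token_hex(8)
        pass_code = secrets.token_hex(16)
        try:
            conn.execute(
                "INSERT INTO user_token (user_name, realm, name_code, pass_code) "
                "VALUES (?, ?, ?, ?)",
                (user_name, realm, name_code, pass_code),
            )
            conn.commit()
            return name_code
        except sqlite3.IntegrityError:
            conn.rollback()
    raise RuntimeError(
        f"Failed to create user-token record; giving up after {attempts} attempts"
    )


def reproduce(schema):
    """Run the report's scenario against one schema: the same user name first gets a
    token from the default realm, then asks for one after a SAML login. Returns a short
    outcome string so the two schemas can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    # Realm labels are constructed placeholders, not Nexus's realm identifiers.
    create_user_token(conn, "test_saml", "default")
    try:
        create_user_token(conn, "test_saml", "saml")
    except RuntimeError as exc:
        return str(exc)
    rows = conn.execute(
        "SELECT realm FROM user_token WHERE user_name = ? ORDER BY realm", ("test_saml",)
    ).fetchall()
    return "created; realms now " + ", ".join(r[0] for r in rows)


if __name__ == "__main__":
    print("PK (user_name):        ", reproduce(SCHEMA_PK_USER_NAME))
    print("PK (user_name, realm): ", reproduce(SCHEMA_PK_USER_NAME_REALM))
```

With the first schema every retry hits the same primary-key violation and the call ends with the same "giving up after 11 attempts" message the logs show; with the composite key the second realm gets its own row. A record keyed by bare user name also cannot tell apart two principals that merely share a name across realms, so making the realm part of the key is what lets the store treat them as distinct identities.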
Attachments
Issue Links
- relates: NEXUS-30850 Default realm users that differ only by case break the user administration screen in new DB (Closed)